Pwn2Own Qualcomm cDSP




Slava Makkaveev 


What processors are on your mobile phone? 


Snapdragon SoC

- Kryo CPU (Android)
- modem DSP (mDSP/baseband)
- audio DSP (aDSP)
- compute DSP (cDSP)
- sensor DSP (sDSP)
- Spectra ISP


DSP assignment 


- Low-power processing of audio and voice data
- Computer vision tasks
- Machine learning-related calculations
- Camera streaming
- Artificial intelligence

Snapdragon 835 (MSM8998): aDSP is responsible for everything
- Samsung S8
- OnePlus 5
- Sony Xperia XZ Premium

Snapdragon 855 (SM8150): tasks are distributed between aDSP and cDSP
- Google Pixel 4
- Samsung S10
- Xiaomi Mi9


Communication between the CPU and DSP


FastRPC mechanism (AP side)

Android application -> libXXX_stub.so -> libadsprpc.so / libcdsprpc.so (DSPRPC Framework) -> ioctl -> /dev/adsprpc-smd / /dev/cdsprpc-smd


FastRPC mechanism (DSP side)

fastrpc_shell_0 / fastrpc_shell_3 (DSPRPC Framework) -> libXXX_skel.so -> libXXX.so


Who can run their own code on the DSP?

Can I compile my own DSP library? Yes

- Hexagon SDK is publicly available
- Stub and skel code will be generated automatically

Can I execute this library on the DSP? No

- DSP is licensed for programming by OEMs
  o The code running on the DSP is signed by Qualcomm
- Android app has no permissions to execute its own code on the DSP
  o Only prebuilt DSP libraries can be freely invoked


Who manages the DSP?

QuRT OS

- Kernel PD
- Guest OS PD: /vendor/firmware/adsp, /vendor/firmware/cdsp
  (ELF 32-bit executable, Qualcomm DSP6)
- User PD: Fastrpc shell ELFs; dozens of skeleton and object libraries in
  /dsp/*, /vendor/dsp/*, /vendor/lib/rfsa/adsp/*


Skipping stub code from the FastRPC flow

Applications Processor -> DSPRPC -> DSP Processor

int remote_handle_open(const char *name, remote_handle *ph);
int remote_handle_invoke(remote_handle h, uint32_t sc, remote_arg *pra);
/* sc encodes the method index and the number of in/out arguments */


Downgrade vulnerability CVE-2020-11209

- We cannot sign a skeleton library, but we can execute a signed one
- There is no version check when loading skeleton libraries
- There are no lists of skeleton libraries permitted for the device

An Android application can bring any signed skeleton library and run it on the DSP:

- It is possible to run a very old skel library with a known 1-day vulnerability even if a patched library exists on the device
- It is possible to run a library intended for one device on any other device


Feedback-based fuzzing of Hexagon libraries

Fuzzing scheme

Figure: AFL -> QEMU Hexagon (user mode) -> loader (.pbn) -> libXXX_skel.so -> libXXX.so


Input file format

Figure: hex dump of a sample input file, annotated with its fields: method index, size of input args, value of input args, size of output args


Fuzzing results

> 400 proven unique crashes in dozens of skeleton libraries:

- libfastcvadsp_skel.so
- libdepthmap_skel.so
- libscveT2T_skel.so
- libscveBlobDescriptor_skel.so
- libVC1DecDsp_skel.so
- libcamera_nn_skel.so
- libscveTextReco_skel.so
- libhexagon_nn_skel.so
- libadsp_fd_skel.so
- libqvr_adsp_driver_skel.so
- libscveFaceRecognition_skel.so
- libthread_blur_skel.so
- libscveCleverCapture_skel.so


Do you remember? The skeleton code is auto-generated by the Hexagon SDK. So we are dealing with SDK issues!


Automatically Generated Code 


Qualcomm Interface Definition Language (IDL)

- Defines interfaces across memory protection and processor boundaries
- Exposes only what an object does, but not where it resides or the programming language in which it is implemented


Hexagon SDK 3.5.1, hexagon_nn 2.10.1 library, hexagon_nn.idl

op_name_to_id(in string name, rout node_id)
snpprint(in hexagon_nn_nn_id id, inrout sequence<octet> buf)


Example: Marshaling an in-out buffer

hexagon_nn_stub.c (fragment of the generated stub; elided lines are marked with ...)

static __inline int _stub_method_6(remote_handle _handle, uint32_t _mid,
        uint32_t _in0[1], char* _in1[1], uint32_t _in1Len[1],
        char* _rout1[1], uint32_t _rout1Len[1]) {
    ...
    _pra[0].buf.pv = (void*)_primIn;
    _pra[0].buf.nLen = sizeof(_primIn);   /* save buffer lengths as data */
    _COPY(_primIn, 4, _in1Len, 0, 4);
    ...
    _COPY(_primIn, 8, _rout1Len, 0, 4);
    ...
}

__QAIC_STUB_EXPORT int __QAIC_STUB(hexagon_nn_snpprint)(hexagon_nn_nn_id id,
        unsigned char* buf, int bufLen) __QAIC_STUB_ATTRIBUTE {
    uint32_t _mid = ...;   /* method index of snpprint */
    return _stub_method_6(_hexagon_nn_handle(), _mid, (uint32_t*)&id,
        (char**)&buf, (uint32_t*)&bufLen,    /* split the in-out buffer into */
        (char**)&buf, (uint32_t*)&bufLen);   /* one in and one out buffer    */
}


Example: Unmarshaling an in-out buffer

hexagon_nn_skel.c (fragment of the generated skeleton; elided lines are marked with ...)

static __inline int _skel_method_25(int (*_pfn)(uint32_t, char*, uint32_t),
        uint32_t _sc, remote_arg* _pra) {
    ...
    _primIn = _pra[0].buf.pv;
    _COPY(_in1Len, 0, _primIn, 4, 4);
    ...
    _COPY(_rout1Len, 0, _primIn, 8, 4);
    ...
    /* signed comparison of the buffer lengths */
    _ASSERT(_nErr, (int)(_rout1Len[0]) >= (int)(_in1Len[0]));
    /* heap overflow: _in1Len[0] comes from the caller and may exceed the output buffer */
    _MEMMOVEIF(_rout1[0], _in1[0], (_in1Len[0] * 1));
    ...
}
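The signed length check in the generated skeleton above, reduced to a host-side model so it can be tested: this is an added example, not SDK code. It reproduces the primitive-input layout the stub packs (offsets 4 and 8 hold _in1Len and _rout1Len), places the SDK's `(int)` comparison beside an unsigned, buffer-bounded replacement, and reports which requests each check would hand to _MEMMOVEIF; the struct and function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Layout of the primitive-input buffer (_pra[0]) filled by the generated stub:
   offset 0 = _in0 (nn_id), offset 4 = _in1Len, offset 8 = _rout1Len.
   Field names follow the stub/skel fragments; the struct itself is
   constructed for this example and is not SDK code. */
typedef struct {
    uint32_t in0;
    uint32_t in1Len;
    uint32_t rout1Len;
} prim_in_t;

/* The check exactly as the IDL compiler emits it: both sides cast to int. */
bool sdk_check_signed(uint32_t rout1Len, uint32_t in1Len)
{
    return (int)rout1Len >= (int)in1Len;
}

/* Hardened replacement: unsigned comparison, and the request is additionally
   bounded by the physical size (buf.nLen) of the buffers that were delivered. */
bool hardened_check(uint32_t rout1Len, uint32_t in1Len,
                    uint32_t inBufNLen, uint32_t routBufNLen)
{
    return in1Len <= rout1Len && in1Len <= inBufNLen && rout1Len <= routBufNLen;
}

/* Simulated skeleton unmarshal of the in-out buffer. Returns the byte count
   that _MEMMOVEIF(_rout1[0], _in1[0], _in1Len[0]) would copy, or -1 when the
   length check rejects the call. Nothing is copied here; the point is to show
   which requests each check lets through. */
int64_t skel_unmarshal_inout(const prim_in_t *prim, uint32_t inBufNLen,
                             uint32_t routBufNLen, bool hardened)
{
    bool ok = hardened
        ? hardened_check(prim->rout1Len, prim->in1Len, inBufNLen, routBufNLen)
        : sdk_check_signed(prim->rout1Len, prim->in1Len);
    if (!ok)
        return -1;
    return (int64_t)prim->in1Len;
}
```

A length with the top bit set is negative once cast to int, so the SDK check accepts it against a 64-byte output buffer; the unsigned check rejects it along with any length larger than the buffers that actually arrived.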


Hexagon SDK vulnerability CVE-2020-11208

- The Hexagon SDK silently injects vulnerabilities into the DSP libraries provided by Qualcomm, OEMs and third-party vendors
- Dozens of DSP libraries embedded in Samsung, Pixel, LG, Xiaomi, OnePlus, HTC, Sony and other devices are vulnerable due to issues in the Hexagon SDK

Qualcomm closed ~400 reported issues with one CVE-2020-11208 patch.
Did you use the Hexagon SDK? Recompile your code!

In addition, CVE-2020-11201, CVE-2020-11202, CVE-2020-11206 and CVE-2020-11207 were assigned to issues in DSP object libraries.


Exploiting a DSP vulnerability

Let's execute unsigned code on the DSP

libfastcvadsp_skel.so library, version 1.7.1 from the Sony Xperia XZ Premium (G8142) device

Crash Details are furnished below
process "/frpc/f0554f20_skel_exec" crashed in thread "/frpc/f0554f20 " due to TLBMISS_RW occurrence
Crashed Shared Object ./libfastcvadsp_skel.so load address : 0xEE500000
fastrpc_shell_0 load address : E9800000 and size : D6188
Fault PC : 0xE04582BC
LR : 0xEE54FB08
SP : 0x3A688B88
Bad va : 0xD1332491
FP : 0x3A688BD8
SSR : 0x21970870
Call trace:
[<EE54FB08>] fastcvadsp_fcvColorRGB888toYCrCbu8Q+0x808: (./libfastcvadsp_skel.so)
[<EE569B4C>] fastcvadsp_fcvColorCbCrSwapu8Q+0x1C: (./libfastcvadsp_skel.so)
[<EE52D408>] fastcvadsp_skel_invoke+0xE738: (./libfastcvadsp_skel.so)
[<E9876C68>] mod_table_invoke+0x22C: (fastrpc_shell_0)
[<E98958DC>] fastrpc_invoke_dispatch+0x15C: (fastrpc_shell_0)
[<E98712B0>] HAP_proc_adaptive_qos+0x3BC: (fastrpc_shell_0)
[<E9872F8C>] pl_fastrpc_uprocess+0x794: (fastrpc_shell_0)
End of Crash Report


Arbitrary read-write in User PD

Figure: hex dump of the crafted input for method #3F, annotated with its three fields: how many half-words to read (the size), where to read (the destination), and what to read (the source: the offset from the start of the first output argument in the DSP heap)


Impact on device security

An Android application gains DSP User PD possibilities:

- Persistent DoS. Trigger a DSP kernel panic and reboot the mobile device
- Hide malicious code. Antiviruses do not scan the Hexagon instruction set
- The DSP is responsible for preprocessing streaming video from camera sensors. An attacker can take over this flow

The next step is to gain the privileges of the Guest OS PD!


QuRT drivers

QuRT Driver Invocation (QDI) model

QuRT contains dozens of QDI drivers in the Guest OS PD:
/dev/*, /drv/*, /qdi/*, /adsp/*, /power/*, /qos/*

libXXX_skel.so -> fastrpc_shell_X -> libqurt.a -> QuRT -> QDI driver


QDI API

handle = qurt_qdi_open(name);   /* name: the driver name */
if (handle >= 0) {
    uint32_t clientId = 1;
    uint32_t result;
    /* arguments: QDI handle, method number, then 0 to 9 optional 32-bit arguments */
    ret = qurt_qdi_handle_invoke(handle, 0x103, clientId, &result);
}

typedef union {
    void *ptr;
    int num;
} qurt_qdi_arg_t;


QDI feedback-based fuzzing

Figure: AFL -> QEMU Hexagon (user mode) -> QuRT (runelf.pbn) -> qdi_exec; QuRT segments taken from a real device; malloc + memcpy patch


QDI vulnerabilities

A dozen Snapdragon 855 QDI drivers are vulnerable to PE and DoS attacks

Any failure in a QDI driver can be used to cause a DSP kernel panic

We exploited
  o several arbitrary kernel read and write vulnerabilities in the /dev/i2c QDI driver
  o two code execution vulnerabilities in the /dev/glink QDI driver


Demo. Code execution in Guest OS PD 


Instead of a conclusion

Qualcomm aDSP and cDSP subsystems are very promising areas for security research

- The DSP is accessible for invocations from third-party Android applications
- The DSP processes personal information such as video and voice data that passes through the device's sensors
- As we have proven, there are many security issues in the DSP components


Thank you!